<!doctype html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<title></title>
	<link rel="stylesheet" type="text/css" href="http://paranoid.net.cn/semantic.css" >
</head>
<body>
<section-title-en>3.6 Software Attacks on Peripherals</section-title-en>
<section-title-ch>3.6 外围设备的软件攻击</section-title-ch>
<p-en>
	Threat models for secure architectures generally only consider software attacks that directly target other components in the software stack running on the CPU. This assumption results in security arguments with the very desirable property of not depending on implementation details, such as the structure of the motherboard hosting the processor chip.
</p-en>
<p-ch>
	安全架构的威胁模型一般只考虑直接针对运行在CPU上的软件栈中的其他组件的软件攻击。这种假设导致安全论证具有非常理想的属性，即不依赖于实现细节，如承载处理器芯片的主板结构。
</p-ch>
<p-en>
	The threat models mentioned above must classify attacks from other motherboard components as physical attacks. Unfortunately, these models would mis-classify all the attacks described in this section, which can be carried out solely by executing software on the victim processor. The incorrect classification matters in cloud computing scenarios, where physical attacks are significantly more expensive than software attacks.
</p-en>
<p-ch>
	上述威胁模型必须将来自其他主板组件的攻击归类为物理攻击。不幸的是，这些模型会错误地将本节所述的所有攻击分类，这些攻击完全可以通过在受害者处理器上执行软件来进行。在云计算场景中，错误的分类很重要，因为物理攻击比软件攻击的成本高得多。
</p-ch>
<p-en>3.6.1 PCI Express Attacks</p-en>
<p-ch>3.6.1 PCI Express攻击</p-ch>
<p-en>
	The PCIe bus (§2.9.1) allows any device connected to the bus to perform Direct Memory Access (DMA), reading from and writing to the computer's DRAM without the involvement of a CPU core. Each device is assigned a range of DRAM addresses via a standard PCI configuration mechanism, but can perform DMA on DRAM addresses outside of that range.
</p-en>
<p-ch>
	PCIe总线(§2.9.1)允许连接到总线的任何设备执行直接内存访问(DMA)，即在没有CPU内核参与的情况下从计算机的DRAM读写。每个设备都通过标准的PCI配置机制分配了一个DRAM地址范围，但可以在该范围之外的DRAM地址上执行DMA。
</p-ch>
<p-en>
	Without any additional protection mechanism, an attacker who compromises system software can take advantage of programmable devices to access any DRAM region, yielding capabilities that were traditionally associated with a DRAM bus tap. For example, an early implementation of Intel TXT [70] was compromised by programming a PCIe NIC to read TXT-reserved DRAM via DMA transfers [190]. Recent versions have addressed this attack by adding extra security checks in the DMA bus arbiter. §4.5 provides a more detailed description of Intel TXT.
</p-en>
<p-ch>
	在没有任何额外的保护机制的情况下，破坏系统软件的攻击者可以利用可编程设备访问任何DRAM区域，产生传统上与DRAM总线分路相关的功能。例如，英特尔TXT[70]的早期实现通过编程PCIe NIC来通过DMA传输[190]读取TXT预留的DRAM而被入侵。最近的版本通过在 DMA 总线仲裁器中增加额外的安全检查来解决这种攻击。 §4.5 提供了对 Intel TXT 更详细的描述。
</p-ch>
<p-en>3.6.2 DRAM Attacks</p-en>
<p-ch>3.6.2 DRAM攻击</p-ch>
<p-en>
	The rowhammer DRAM bit-flipping attack [72, 119, 166] is an example of a different class of software attacks that exploit design defects in the computer's hardware. Rowhammer took advantage of the fact that some mobile DRAM chips (§2.9.1) refreshed the DRAM's contents slowly enough that repeatedly changing the contents of a memory cell could impact the charge stored in a neighboring cell, which resulted in changing the bit value obtained from reading the cell. By carefully targeting specific memory addresses, the attackers caused bit flips in the page tables used by the CPU's address translation (§2.5) mechanism, and in other data structures used to make security decisions.
</p-en>
<p-ch>
	Rowhammer DRAM翻位攻击[72，119，166]是另一类软件攻击的一个例子，它利用了计算机硬件的设计缺陷。Rowhammer利用了一些移动DRAM芯片(§2.9.1)刷新DRAM的内容足够慢的事实，反复改变一个内存单元的内容可能会影响相邻单元中存储的电荷，从而导致改变读取单元得到的位值。攻击者通过小心翼翼地瞄准特定的内存地址，在CPU的地址转换(§2.5)机制所使用的页表中，以及在其他用于做出安全决策的数据结构中，造成位翻转。
</p-ch>
<p-en>
	The defect exploited by the rowhammer attack most likely stems from an incorrect design assumption. The DRAM engineers probably only thought of nonmalicious software and assumed that an individual DRAM cell cannot be accessed too often, as repeated accesses to the same memory address would be absorbed by the CPU's caches (§2.11). However, malicious software can take advantage of the CLFLUSH instruction, which flushes the cache line that contains a given DRAM address. CLFLUSH is intended as a method for applications to extract more performance out of the cache hierarchy, and is therefore available to software running at all privilege levels. Rowhammer exploited the combination of CLFLUSH's availability and the DRAM engineers' invalid assumptions, to obtain capabilities that are normally associated with an active DRAM bus attack.
</p-en>
<p-ch>
	rowhammer攻击所利用的缺陷很可能源于一个错误的设计假设。DRAM工程师可能只想到了非恶意软件，并假设单个DRAM单元不能被过于频繁地访问，因为对同一内存地址的重复访问会被CPU的缓存所吸收（§2.11）。然而，恶意软件可以利用CLFLUSH指令，刷新包含给定DRAM地址的缓存行。CLFLUSH旨在为应用程序提供一种从缓存层次结构中提取更多性能的方法，因此，以所有特权级别运行的软件都可以使用。Rowhammer利用CLFLUSH的可用性和DRAM工程师的无效假设相结合，获得了通常与主动DRAM总线攻击相关的能力。
</p-ch>
<p-en>3.6.3 The Performance Monitoring Side Channel</p-en>
<p-ch>3.6.3 性能监控侧通道</p-ch>
<p-en>
	Intel's Software Development Manual (SDM) [101] and Optimization Reference Manual [96] describe a vast array of performance monitoring events exposed by recent Intel processors, such as branch mispredictions (§2.10). The SDM also describes digital temperature sensors embedded in each CPU core, whose readings are exposed using Model-Specific Registers (MSRs) (§2.4) that can be read by system software.
</p-en>
<p-ch>
	英特尔的《软件开发手册》(SDM)[101]和《优化参考手册》[96]描述了最新的英特尔处理器所暴露的大量性能监测事件，例如分支错误预测(§2.10)。SDM还描述了嵌入在每个CPU内核中的数字温度传感器，其读数通过模型专用寄存器（MSRs）（§2.4）暴露出来，可由系统软件读取。
</p-ch>
<p-en>
	An attacker who compromises a computer's system software and gains access to the performance monitoring events or the temperature sensors can obtain the information needed to carry out a power analysis attack, which normally requires physical access to the victim computer and specialized equipment.
</p-en>
<p-ch>
	攻击者如果入侵计算机的系统软件，并获得性能监控事件或温度传感器的访问权限，就可以获得实施功率分析攻击所需的信息，这通常需要对受害者计算机进行物理访问和专门设备。
</p-ch>
<p-en>3.6.4 Attacks on the Boot Firmware and Intel ME</p-en>
<p-ch>3.6.4 对启动固件和Intel ME的攻击</p-ch>
<p-en>
	Virtually all motherboards store the firmware used to boot the computer in a flash memory chip (§2.9.1) that can be written by system software. This implementation strategy provides an inexpensive avenue for deploying firmware bug fixes. At the same time, an attack that compromises the system software can subvert the firmware update mechanism to inject malicious code into the firmware. The malicious code can be used to carry out a cold boot attack, which is typically considered a physical attack. Furthermore, malicious firmware can run code at the highest software privilege level, System Management Mode (SMM, §2.3). Last, malicious firmware can modify the system software as it is loaded during the boot process. These avenues give the attacker capabilities that have traditionally been associated with DRAM bus tapping attacks.
</p-en>
<p-ch>
	几乎所有的主板都将用于启动计算机的固件存储在闪存芯片(§2.9.1)中，可以由系统软件写入。这种实现策略为部署固件错误修复提供了一个廉价的途径。同时，破坏系统软件的攻击可以颠覆固件更新机制，将恶意代码注入到固件中。恶意代码可以用来进行冷启动攻击，这通常被认为是一种物理攻击。此外，恶意固件可以在最高软件权限级别--系统管理模式（SMM，§2.3）下运行代码。最后，恶意固件可以在启动过程中加载系统软件时对其进行修改。这些途径使攻击者具备了传统上与DRAM总线窃听攻击相关的能力。
</p-ch>
<p-en>
	The Intel Management Engine (ME) [162] loads its firmware from the same flash memory chip as the main computer, which opens up the possibility of compromising its firmware. Due to its vast management capabilities (§2.9.2), a compromised ME would leak most of the powers that come with installing active probes on the DRAM bus, the PCI bus, and the System Management bus (SMBus), as well as power consumption meters. Thanks to its direct access to the motherboard's Ethernet PHY, the probe would be able to communicate with the attacker while the computer is in the Soft-Off state, also known as S5, where the computer is mostly powered off, but is still connected to a power source. The ME has significantly less computational power than probe equipment, however, as it uses low-power embedded components, such as a 200-400MHz execution core, and about 600KB of internal RAM.
</p-en>
<p-ch>
	英特尔管理引擎(ME)[162]从与主计算机相同的闪存芯片中加载其固件，这就为其固件泄露提供了可能。由于其庞大的管理能力(§2.9.2)，被入侵的ME将泄露大部分权力，在DRAM总线、PCI总线和系统管理总线(SMBus)上安装主动探针，以及功耗表。由于其直接访问主板的以太网PHY，探头将能够在计算机处于Soft-Off状态（也就是S5状态）时与攻击者进行通信，在该状态下，计算机大部分时间都处于关机状态，但仍与电源相连。不过，ME的计算能力明显低于探测设备，因为它使用的是低功耗的嵌入式组件，如一个200-400MHz的执行核心，以及约600KB的内部RAM。
</p-ch>
<p-en>
	The computer and ME firmware are protected by a few security measures. The first line of defense is a security check in the firmware's update service, which only accepts firmware updates that have been digitally signed by a manufacturer key that is hard-coded in the firmware. This protection can be circumvented with relative ease by foregoing the firmware's update services, and instead accessing the flash memory chip directly, via the PCH's SPI bus controller.
</p-en>
<p-ch>
	计算机和ME固件受到一些安全措施的保护。第一道防线是固件的更新服务中的安全检查，它只接受由固件中硬编码的制造商密钥进行数字签名的固件更新。通过放弃固件的更新服务，而直接通过PCH的SPI总线控制器访问闪存芯片，可以比较容易地规避这种保护。
</p-ch>
<p-en>
	The deeper, more powerful, lines of defense against firmware attacks are rooted in the CPU and ME's hardware. The bootloader in the ME's ROM will only load flash firmware that contains a correct signature generated by a specific Intel RSA key. The ME's boot ROM contains the SHA-256 cryptographic hash of the RSA public key, and uses it to validate the full Intel public key stored in the signature. Similarly, the microcode bootstrap process in recent CPUs will only execute firmware in an Authenticated Code Module (ACM, §2.13.2) signed by an Intel key whose SHA-256 hash is hard-coded in the microcode ROM.
</p-en>
<p-ch>
	更深层次的、更强大的、抵御固件攻击的防线植根于CPU和ME的硬件中。ME的ROM中的bootloader只会加载包含特定英特尔RSA密钥生成的正确签名的闪存固件。ME的引导ROM中包含RSA公钥的SHA-256加密哈希，并使用它来验证签名中存储的完整英特尔公钥。同样，最近的CPU中的微码引导过程只会执行由英特尔密钥签署的认证代码模块（ACM，§2.13.2）中的固件，该密钥的SHA-256哈希值被硬编码在微码ROM中。
</p-ch>
<p-en>
	However, both the computer firmware security checks [54, 192] and the ME security checks [178] have been subverted in the past. While the approaches described above are theoretically sound, the intricate details and complex interactions in Intel-based systems make it very likely that security vulnerabilities will creep into implementations. Further proving this point, a security analysis [185] found that early versions of Intel's Active Management Technology (AMT), the flagship ME application, contained an assortment of security issues that allowed an attacker to completely take over a computer whose ME firmware contained the AMT application.
</p-en>
<p-ch>
	然而，计算机固件安全检查[54，192]和ME安全检查[178]在过去都被颠覆过。虽然上述方法在理论上是合理的，但基于英特尔的系统中错综复杂的细节和复杂的相互作用，使得安全漏洞极有可能悄然进入实现中。进一步证明了这一点，一项安全分析[185]发现，英特尔的旗舰ME应用--主动管理技术(AMT)的早期版本包含各种安全问题，允许攻击者完全接管ME固件包含AMT应用的计算机。
</p-ch>
<p-en>3.6.5 Accounting for Software Attacks on Peripherals</p-en>
<p-ch>3.6.5 外围设备上的软件攻击说明</p-ch>
<p-en>
	The attacks described in this section show that a system whose threat model assumes no software attacks must be designed with an understanding of all the system's buses, and the programmable devices that may be attached to them. The system's security analysis must argue that the devices will not be used in physical-like attacks. The argument will rely on barriers that prevent untrusted software running on the CPU from communicating with other programmable devices, and on barriers that prevent compromised programmable devices from tampering with sensitive buses or DRAM.
</p-en>
<p-ch>
	本节描述的攻击表明，一个系统的威胁模型假设没有软件攻击，在设计时必须了解系统的所有总线，以及可能连接到总线上的可编程设备。系统的安全分析必须论证这些设备不会被用于类似物理攻击。该论证将依赖于防止在CPU上运行的不受信任的软件与其他可编程设备通信的障碍，以及防止受损害的可编程设备篡改敏感总线或DRAM的障碍。
</p-ch>
<p-en>
	Unfortunately, the ME, PCH and DMI are Intel proprietary and largely undocumented, so we cannot assess the security of the measures set in place to protect the ME from being compromised, and we cannot reason about the impact of a compromised ME that runs malicious software.
</p-en>
<p-ch>
	遗憾的是，ME、PCH和DMI都是英特尔的专利产品，而且基本没有文档，因此我们无法评估为保护ME不被入侵而设置的措施的安全性，也无法推理出运行恶意软件的入侵ME的影响。
</p-ch>


</body>
</html>	